Re: (ITS#7006) openldap does not accept wildcard certificates with mozilla/nss
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#7006) openldap does not accept wildcard certificates with mozilla/nss
- From: hyc@symas.com
- Date: Fri, 30 Sep 2011 10:29:01 GMT
- Auto-submitted: auto-generated (OpenLDAP-ITS)
hash_oldap@cycdolphin.net wrote:
> Full_Name: Philippe Kueck
> Version: 2.4.23 / 2.4.26
> OS: RHEL 6.1
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (82.98.65.86)
>
>
> When compiled against Mozilla/NSS OpenLDAP does not accept wildcard
> certificates.
>
> This is probably because in tls_m.c the certificate CN (*.domain.example) is
> matched against the hostname (foo.domain.example), not against the domain
> (.domain.example).
>
> I suggest the following patch:
Thanks for the report, fixed in master.
>
> --%snip%--
> diff -Nru openldap-2.4.26-orig/libraries/libldap/tls_m.c
> openldap-2.4.26/libraries/libldap/tls_m.c
> --- openldap-2.4.26-orig/libraries/libldap/tls_m.c 2011-06-30 17:13:36.000000000
> +0200
> +++ openldap-2.4.26/libraries/libldap/tls_m.c 2011-08-01 16:29:42.000000000
> +0200
> @@ -2590,7 +2590,7 @@
> if ( av->len == nlen&& !strncasecmp( name, (char *)av->data, nlen )) {
> ret = LDAP_SUCCESS;
> } else if ( av->data[0] == '*'&& av->data[1] == '.'&&
> - domain&& dlen == av->len - 1&& !strncasecmp( name,
> + domain&& dlen == av->len - 1&& !strncasecmp( domain,
> (char *)(av->data+1), dlen )) {
> ret = LDAP_SUCCESS;
> } else {
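Review bot: `av->data[1]` is read before any check on `av->len`, so a one-byte value (`av->len == 1`) reads one byte past the value unless `av->data` is always NUL-terminated; testing the length first, e.g. `av->len > 1 && av->data[0] == '*' && av->data[1] == '.'`, closes that. The one-word change itself is the right fix: with `name` as the first argument the wildcard branch compared the first dlen bytes of the full hostname against `av->data+1`, which begins with '.', so it could never succeed and every wildcard certificate was rejected; comparing `domain` (the hostname from its first dot onward) together with the existing `dlen == av->len - 1` check makes `*.domain.example` cover exactly one extra label, which is worth a one-line comment above the branch.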
> --%snip%--
>
>
> Kind regards,
>
> Philippe Kueck
>
>
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
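Added example, not from the report or from OpenLDAP's tls_m.c: a standalone C reimplementation of the comparison the report describes, with a `pre_fix` flag that reproduces the pre-patch behaviour so the two can be exercised side by side. The function name, the flag and the sample hostnames are my own.

```c
#include <string.h>
#include <strings.h>

/*
 * Standalone reimplementation (not OpenLDAP's code) of the hostname check the
 * report describes.  `name` is the hostname the client connected to; `certname`
 * is one name taken from the certificate (CN or SAN dNSName).  `pre_fix` selects
 * the pre-patch comparison so the defect can be demonstrated.
 * Returns 1 when the certificate name covers the hostname, 0 otherwise.
 */
int cert_name_matches(const char *name, const char *certname, int pre_fix)
{
    size_t nlen = strlen(name);
    size_t clen = strlen(certname);
    /* "domain" is the hostname with its first label removed, keeping the dot:
     * "foo.domain.example" -> ".domain.example".  NULL for a single-label name. */
    const char *domain = strchr(name, '.');
    size_t dlen = domain ? strlen(domain) : 0;

    /* Exact, case-insensitive match. */
    if (clen == nlen && !strncasecmp(name, certname, nlen))
        return 1;

    /* Wildcard: certname must be "*." followed by exactly the parent domain,
     * so "*.domain.example" covers "foo.domain.example" but not
     * "a.b.domain.example" (the wildcard stands for one label only).
     * Length is checked before certname[1] is read. */
    if (clen > 1 && certname[0] == '*' && certname[1] == '.' &&
        domain && dlen == clen - 1) {
        /* Pre-fix code compared certname+1 (".domain.example") against the
         * start of the full hostname, which can never be equal, so wildcard
         * certificates were always rejected.  The fix compares against domain. */
        const char *subject = pre_fix ? name : domain;
        if (!strncasecmp(subject, certname + 1, dlen))
            return 1;
    }
    return 0;
}
```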